Privacy Policy

MA

1
DATA PRIVACY POLICY


Sect. 1 General


We will process your personal data (e.g. title, name, address, e-mail address, phone number,
bank details, credit card number) solely in accordance with the provisions of the German data
protection law and the data protection law of the European Union (EU). The following provisions
will inform you, besides the information about the processing purposes, recipients, legal bases
and storage periods, also about your rights and the controller for your data processing. This
privacy policy applies only to our websites. If you are directed to other sites via links on our
pages, please familiarise yourself with the respective use of your data there.


Sect. 2 Inventory data


(1) Purpose of data processing
Your personal data you provide us during the ordering process are necessary for the conclusion
of a contract with us. You are not obliged to provide your personal data. However, we would not
be able to send you the goods without your address. For some payment methods we ask for the
necessary payment data in order to pass them on to a payment service provider commissioned
by us. Hence, the processing of your data collected during the ordering process is soley for the
purpose of contract performance.
If you send us a request by e-mail or by using the contact form, etc. before concluding the
contract, we process the obtained data to carry out pre-contractual measures and answer your
questions about e.g. our products.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (b) of the GDPR.
(3) Recipient categories
Payment service provider, shipping service provider, hosting provider, if necessary
merchandise management system, suppliers if necessary (drop-shipping).
(4) Duration of Storage
We store the data required for contract execution until the statutory warranty and, if applicable,
contractual warranty periods expire.
We store the data required under commercial and tax law for the statutory periods, generally
ten years (cf. § 257 German Commercial Code (HGB), § 147 Regulation of Taxation (AO)).
The data processed for the execution of pre-contractual measures will be deleted as soon as
the measures have been carried out and the contract cannot be concluded.
2


Sect. 3 Web Analysis with Google Analytics


(1) Purpose of data processing
This website uses Google Analytics, a web analysis service provided by Google LLC, 1600
Amphitheatre Parkway, Mountain View, CA 94043, USA. ("Google"). Google Analytics uses socalled
“cookies”, small text files, which are placed on your computer to analyze how you use
the website. The information generated by the cookie about your use of this website will be
transmitted and saved on server in the United States by Google. If the anonymizeIP function is
activated on this website, Google will shorten your IP address in advance within the member
states of the European Union or in other states which are parties to the Agreement on the
European Economic Area. Only in exceptional cases Google will transmit the full IP address
on server in the United States and will shorten there. Google will use this information for the
purpose of evaluating your use of our website, compiling reports on website activities and
providing other services related to website and internet usage for the website operators.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (f) of the GDPR.
(3) Legitimate interest
Our legitimate interest is the statistical analysis of user behavior for optimization and marketing
purposes. For your interest in data protection, this website uses Google Analytics with the
extension "anonymizeIP()", so that the IP addresses are only processed in an abridged form
in order to exclude direct personal reference.
(4) Recipient categories
Google, Partner companies
(5) Transfer to a third country
Google LLC, located in the USA, is certified for the EU-US Data Protection Agreement "Privacy
Shield", which guarantees compliance with the data protection rates applicable in the EU.
(6) Duration of Storage
Unlimited
(7) Right of objection
You can prevent the installation of the cookies in your browser settings. If you choose to
change your settings you may not be able to use the full functionality of this website. You
can also prevent Google from collecting the data generated by the cookie and relating
to your use of the website (including your IP address) and from processing this data by
Google by downloading and installing the browser plug-in available under the following
link: optout
You may also generate blocking by setting an opt-out cookie. If you want to prevent the
future collection of your data when you visit this website, please click here: Disable Google
Analycs


Sect. 4 Information about cookies


3
(1) Purpose of data processing
This website uses technically necessary cookies. These are small text files that are stored for
a short period in or by your Internet browser on your computer system. These cookies are
employed, for example, when several products must be inserted in a shopping basket.
Other cookies remain stored permanently and recognize your browser on your next visit. These
cookies are employed, for example, to store permanently your passwords for a customer
account.
(2) Legal basis
The legal basis for such processing is set out in Article 6 (1) (f) of the GDPR.
(3) Legitimate interest
Our legitimate interest is the functionality of our website. The user data collected by technically
necessary cookies and long term cookies are not used to create user profiles to preserve your
interest in data protection.
(4) Duration of Storage
The technically necessary cookies are usually deleted when the browser is closed. Permanently
stored cookies remain stored from a few minutes to several years.
(5) Right of revocation
If you do not wish these cookies to be stored, please deactivate the use of cookies in
your Internet browser. However, this may cause a functional limitation of our website.
Your consent to persistent cookies can be withdrawn at any time by deleting the cookies
in your browser settings.


Sect. 5 Rights of the data subject


If your personal data is being processed, you are the ‘data subject’ in terms of GDPR and you
have the following rights towards the controller:
1. Right of access by the data subject
You may ask the controller to confirm whether your personal data is processed.
In the case of such processing, you may request the following information from the controller:
(1) the purposes of the processing of the personal data;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data have been or will be
disclosed;
(4) the estimated period of time for which the personal data will be stored, or, if not possible,
the criteria used to determine that period;
4
(5) the right to request from the controller to rectify or erase the personal data or the right
to restrict the processing of personal data concerning the data subject or to object to such
processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) the right to all available information on the source of the data if the personal data are not
collected from the data subject;
(8) the existence of automated decision-making, including profiling in accordance with Article
22 (1) and (4) of the GDPR and - at least in these cases - meaningful information for your about
the logic involved, as well as the consequences and intended effects of such processing.
As a data subject, you have the right to be informed whether the personal data concerning you
are transferred to a third country or to an international organisation. In this regard, you may
request to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to
the transfer.
2. Right to rectification
You have the right to have corrected and/or completed your personal data from the controller
if your personal data processed is incorrect or incomplete. The controller has to make the
correction without delay.
3. Right to restriction of processing
You have the right to obtain from the controller restriction of processing where one of the
following applies:
(1) if you contest the accuracy of the personal data relating to you for a period of time that
enables the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you refuse to erase the personal data and request the
restriction of the use of the personal data instead;
(3) the controller no longer needs the personal data for the purposes of processing, but you
need them to establish, exercise or defend legal claims; or
(4) if you have lodged an objection against the processing in accordance with Art. 21 (1) GDPR
and it has not yet been determined whether the legitimate reasons of the controller outweigh
your grounds.
Where processing of personal data relating to you has been restricted, such data may, with the
exception of storage, only be processed with your consent or for the purpose of establishing,
exercising or defending legal claims or for the protecting of the rights of another natural or legal
person or for reasons of an important public interest of the Union or of a Member State.
If the restriction of processing has been restricted in accordance with the conditions mentioned
above, you will be informed by the controller before the restriction of processing is lifted.
5
4. Right to erasure
a) Obligation regarding erasure
You have the right to obtain from the controller the erasure of your personal data immediately
and the controller is obliged to erase this data without delay where one of the following reasons
applies:
(1) the personal data are no longer necessary for the purposes for which they were collected
or otherwise processed;
(2) you withdraw your consent on which the processing is based accordance to point (a) of
Article 6 (1), or point (a) of Article 9 (2) GDPR and where there is no other legal ground for
the processing;
(3) you submit an objection to the processing accordance to Article 21 (1) of the GDPR, and
there are no legitimate reasons for the processing, or you lodge an objection against the
processing accordance to Article 21 (2) of the GDPR;
(4) your personal data have been unlawfully processed;
(5) your personal data need to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
(6) your personal data have been collected in relation to the offer information society services
referred to Article 8 (1);
b) Obligation to inform other controllers (third parties)
If the controller has made your personal data public and is obliged to erase them accordance
to Article 17 (1) of the GDPR, he has to take reasonable steps, taking into account the
available technology and the cost of implementation, including technical measures, to inform
the controllers who process the personal data that you, as the person concerned, have
requested the erasure of any links to, or copy or replication of those personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary:
(1) for exercising the right of freedom of expression and information;
(2) for fulfilment of a legal obligation which requires processing by the law of the Union or of
the Member States to which the controller is subject, or for the performance of a task carried
out in the public interest or the exercise of official authority transferred to the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and
(i) of Article 9 (2) as well as Article 9 (3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research or for statistical
purposes in accordance with Article 89 (1), insofar as the right referred to in paragraph 1 is likely
to make it impossible or seriously impair the achievement of the objectives of such processing;
or
(5) for the establishing, exercising or defending legal claims.
6
5. Notification obligation
If you have made use of your right to correct, erase or restrict the processing of your personal
data, the controller is obliged to inform all recipients to whom the personal data have been
disclosed of this correction or erasure of the data or limitation of the processing, unless this
proves to be impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the controller.
6. Right to data portability
You have the right to receive the personal data relating to you which you have provided to the
data controller, in a structured, commonly used and machine-readable format. In addition, you
have the right to transmit this data to another controller without hindrance by the controller, who
has been provided with the personal data, where:
(1) the processing is based on a consent in accordance with the point (a) of Article 6 (1) or point
(a) of Article 9 (2) or on a contract in accordance with the point (b) of Article 6 (1); and
(2) the processing is carried out using automated means.
In exercising this right, you also have the right to have your personal data are transmitted
directly from one controller to another, as far as this is technically feasible. Freedoms and rights
of other persons may not be affected thereby.
The right to data portability is not applicable to the processing of personal data necessary for
the performance of a task carried out in the public interest or in the exercise of official authority
given to the data controller.
7. Right to object
For reasons arising from your particular situation, you have the right to object at any time to
processing of personal data concerning you, which is carried out based on point (e) or (f) of
Article 6 (1); this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you, unless the controller
can prove that there are compelling legitimate grounds for the processing that outweigh your
interests, rights and freedoms or the processing serves to establish, exercise or defend legal
claims.
Where the personal data concerning you are processed for direct marketing purposes, you
have the right to object at any time to processing of personal data concerning you for such
marketing; this also applies to profiling, insofar as it is related to such direct marketing.
Where you object to the processing for the purposes of direct marketing, the personal data
concerning you will no longer be processed for these purposes.
7
In the context of the use of information society services, and notwithstanding Directive 2002/58/
EC, you have the possibility of exercising your right to object by automated means using
technical specifications.
8. Right to withdraw the declaration of consent under Data Protection Act
You have the right to withdraw your declaration of consent under Data Protection Act at any
time. The withdrawal of the consent does not affect the legality of the processing carried out
on the basis of the consent until the withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing,
including profiling, which has legal effect on you or which significantly impairs you in a similar
manner.
This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and a data
controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also
lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data in
accordance with Article 9 (1), unless point (a) or (g) of Article 9 (2) applies and appropriate
measures to safeguard the rights and freedoms and your legitimate interests are in place.
Regarding the cases referred to in (1) and (3), the data controller has to take appropriate
measures to safeguard the rights and freedoms and your legitimate interests, at least the right
to obtain human intervention on the part of the data controller, to state his or her own position
and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge
a complaint with a supervisory authority, in particular in the Member State of your habitual
residence, place of work or place of the alleged infringement if you consider that the processing
of your personal data infringes this Regulation.
The supervisory authority with which the complaint has been lodged is to inform the complainant
on the progress and the outcome of the complaint including the possibility of judicial remedy
accordance to Article 78.
8


Responsible for data processing:
Tabletop-Art GmbH
Gollierstr. 70
80339 München
Phone: (_____)
info@tabletop-art.eu
Document produced and updated by janolaw AG.